17 Feb, 2011
1 commit
-
Signed-off-by: Vladislav P
Signed-off-by: Gustavo F. Padovan
02 Feb, 2011
1 commit
-
This patch fixes a minor issue where two connection responses will be sent
for one L2CAP connection request. If the L2CAP connection request is first
blocked for a security reason and responded to with reason "security block",
the state of the connection remains BT_CONNECT2. If a pairing procedure
completes successfully before the ACL connection is down, the local host will
send another connection complete response. See the following packets
captured by hcidump.
2010-12-07 22:21:24.928096 < ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 19 08 00 41 00 53 00 03 00 00 00 ........A.S.....
... ...
2010-12-07 22:21:35.791747 > HCI Event: Auth Complete (0x06) plen 3
status 0x00 handle 12
... ...
2010-12-07 22:21:35.872372 > ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0054 scid 0x0040 result 0 status 0
Connection successful
Signed-off-by: Liang Bao
Acked-by: Ville Tervo
Signed-off-by: Gustavo F. Padovan
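A constructed model of the state-machine bug this commit describes, added here as an illustration; it is not the kernel's l2cap code. The "fixed" path, which moves a refused channel out of BT_CONNECT2 so the Auth Complete handler does not answer the same request again, shows the idea rather than the commit's actual change; the result codes 0x0000 and 0x0003 are the Connect Response values from the Bluetooth core spec, and 0x0003 is the "03 00" result field visible in the first captured packet above.

```c
/* Constructed model of the bug above, not the kernel's l2cap code. */
#include <stdbool.h>
enum chan_state { BT_CONNECT2, BT_CONFIG, BT_DISCONN };
/* L2CAP Connect Response result codes (Bluetooth core spec). */
#define L2CAP_CR_SUCCESS   0x0000
#define L2CAP_CR_SEC_BLOCK 0x0003
struct chan {
    enum chan_state state;
    bool security_ok;      /* link already meets the channel's security level */
    int responses_sent;    /* Connect Responses emitted for this one request */
    unsigned last_result;  /* result code carried by the most recent response */
};

static void send_connect_rsp(struct chan *c, unsigned result)
{
    c->responses_sent++;
    c->last_result = result;
}

/* Incoming Connect Request; buggy path refuses but stays in BT_CONNECT2. */
static void connect_req(struct chan *c, bool fixed)
{
    c->state = BT_CONNECT2;
    if (c->security_ok) {
        c->state = BT_CONFIG;
        send_connect_rsp(c, L2CAP_CR_SUCCESS);
        return;
    }
    send_connect_rsp(c, L2CAP_CR_SEC_BLOCK);
    if (fixed)            /* illustrative fix: a refused request is finished */
        c->state = BT_DISCONN;
}

/* Auth Complete: every channel still in BT_CONNECT2 gets its deferred answer. */
static void auth_complete(struct chan *c, bool auth_ok)
{
    if (c->state != BT_CONNECT2)
        return;
    c->state = auth_ok ? BT_CONFIG : BT_DISCONN;
    send_connect_rsp(c, auth_ok ? L2CAP_CR_SUCCESS : L2CAP_CR_SEC_BLOCK);
}

/* Replays the hcidump sequence (blocked request, then successful pairing) and
 * returns how many Connect Responses that single request produced. */
int responses_for_blocked_then_paired(bool fixed, unsigned *last_result)
{
    struct chan c = { .state = BT_CONNECT2, .security_ok = false };
    connect_req(&c, fixed);
    auth_complete(&c, true);
    if (last_result)
        *last_result = c.last_result;
    return c.responses_sent;
}
```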
20 Jan, 2011
8 commits
-
The conn->sec_level value is supposed to represent the current level of
security that the connection has. However, by assigning to it before
requesting authentication it will have the wrong value during the
authentication procedure. To fix this a pending_sec_level variable is
added which is used to track the desired security level while making
sure that sec_level always represents the current level of security.
Signed-off-by: Johan Hedberg
Signed-off-by: Gustavo F. Padovan
-
When there is an existing connection l2cap_check_security needs to be
called to ensure that the security level of the new socket is fulfilled.
Normally l2cap_do_start takes care of this, but that function doesn't
get called for SOCK_RAW type sockets. This patch adds the necessary
l2cap_check_security call to the appropriate branch in l2cap_do_connect.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
The logic for determining the needed auth_type for an L2CAP socket is
rather complicated and has so far been duplicated in
l2cap_check_security as well as l2cap_do_connect. Additionally the
l2cap_check_security code was completely missing the handling of
SOCK_RAW type sockets. This patch creates a unified function for the
evaluation and makes l2cap_do_connect and l2cap_check_security use that
function.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
If an existing connection has a MITM protection requirement (the first
bit of the auth_type) then that requirement should not be cleared by new
sockets that reuse the ACL but don't have that requirement.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
This reverts commit 045309820afe047920a50de25634dab46a1e851d. That
commit is wrong for two reasons:
- The conn->sec_level shouldn't be updated without performing
authentication first (as it's supposed to represent the level of
security that the existing connection has)
- A higher auth_type value doesn't mean "more secure" like the commit
seems to assume. E.g. dedicated bonding with MITM protection is 0x03
whereas general bonding without MITM protection is 0x04. hci_conn_auth
already takes care of updating conn->auth_type so hci_connect doesn't
need to do it.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Fix a bug introduced in commit 9cf5b0ea3a7f1432c61029f7aaf4b8b338628884:
function rfcomm_recv_ua calls rfcomm_session_put without checking that
the session is not referenced by some DLC. If the session is freed, that
DLC would refer to deallocated memory, causing an oops later, as shown
in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994
Signed-off-by: Lukas Turek
Signed-off-by: Gustavo F. Padovan
-
The blacklist should be freed before the hci device gets unregistered.
Signed-off-by: Johan Hedberg
Signed-off-by: Gustavo F. Padovan
-
CC: Marcel Holtmann
CC: "Gustavo F. Padovan"
CC: João Paulo Rechi Vita
Signed-off-by: David Sterba
Signed-off-by: Gustavo F. Padovan
05 Jan, 2011
1 commit
23 Dec, 2010
7 commits
-
Does not allow any channel different from HCI_CHANNEL_RAW and
HCI_CHANNEL_CONTROL to bind.
Signed-off-by: Gustavo F. Padovan
-
The initialization function used by hci_open_dev (hci_init_req) sends
many different HCI commands. The __hci_request function should only
return when all of these commands have completed (or a timeout occurs).
Several of these commands cause hci_req_complete to be called which
causes __hci_request to return prematurely.
This patch fixes the issue by adding a new hdev->req_last_cmd variable
which is set during the initialization procedure. The hci_req_complete
function will no longer mark the request as complete until the command
matching hdev->req_last_cmd completes.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
This patch adds Bluetooth Management interface events for controller
addition and removal. The events correspond to the existing HCI_DEV_REG
and HCI_DEV_UNREG stack internal events.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
This patch implements the read_info command which is used to fetch basic
info about an adapter.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
This patch implements the read_index_list command through which
userspace can get a list of current adapter indices.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
This patch implements the initial read_version command that userspace
will use before any other management interface operations.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
The command handlers for bluetooth management messaging should be able
to report errors (such as memory allocation failures) to the higher
levels in the call stack.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
16 Dec, 2010
1 commit
-
Conflicts:
drivers/net/wireless/iwlwifi/iwl-1000.c
drivers/net/wireless/iwlwifi/iwl-6000.c
drivers/net/wireless/iwlwifi/iwl-core.h
08 Dec, 2010
2 commits
-
In order to send data to management control sockets the function should:
- skip checks intended for raw HCI data and stack internal events
- make sure RAW HCI data or stack internal events don't go to
management control sockets
In order to accomplish this the patch adds a new member to the bluetooth
skb private data to flag skb's that are destined for management control
sockets.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Add initial code for handling Bluetooth Management interface messages.
Signed-off-by: Johan Hedberg
Acked-by: Marcel Holtmann
Acked-by: Andrei Emeltchenko
Signed-off-by: Gustavo F. Padovan
07 Dec, 2010
3 commits
-
Changed Makefile to use -y instead of -objs
because -objs is deprecated and not mentioned in
Documentation/kbuild/makefiles.txt.
Signed-off-by: Tracey Dent
Signed-off-by: David S. Miller
-
Due to commit 63ce0900 connections initiated through TTYs created with
"rfcomm bind ..." would have security level BT_SECURITY_SDP instead of
BT_SECURITY_LOW. This would cause instant connection failure between any
two SSP capable devices due to the L2CAP connect request to RFCOMM being
sent before authentication has been performed. This patch fixes the
regression by always initializing the DLC security level to
BT_SECURITY_LOW.
Signed-off-by: Johan Hedberg
Acked-by: Luiz Augusto von Dentz
Signed-off-by: Gustavo F. Padovan
-
If such an event happens we shall reply with a Command Reject, because we are
not expecting any configure request.
Signed-off-by: Gustavo F. Padovan
Signed-off-by: Marcel Holtmann
02 Dec, 2010
16 commits
-
Do not use assignment in IF condition, remove extra spaces,
fixing typos, simplify code.
Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo F. Padovan
-
Do not initialize static vars to zero, macros with complex values
shall be enclosed with (), remove unneeded braces.
Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo F. Padovan
-
Remove extra spaces, assignments in if statement, zeroing static
variables, extra braces. Fix includes.
Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo F. Padovan
-
Do not use assignments in IF condition, remove extra spaces
Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo F. Padovan
-
create_singlethread_workqueue() may fail with errors such as -ENOMEM. If
this happens, the return value is not set to a negative value and the
module load will succeed. It will then crash on module unload because of
a destroy_workqueue() call on a NULL pointer.
Additionally, the _busy_wq workqueue is not being destroyed if any
errors happen on l2cap_init().
Signed-off-by: Anderson Lizardo
Signed-off-by: Gustavo F. Padovan
-
rfcomm_get_sock_by_channel() was the only user of this function, so I merged
both into rfcomm_get_sock_by_channel(). The socket lock should now be held
outside of rfcomm_get_sock_by_channel(), now that we hold and release it inside the
same function.
Signed-off-by: Gustavo F. Padovan
-
l2cap_get_sock_by_psm() was the only user of this function, so I merged
both into l2cap_get_sock_by_psm(). The socket lock should now be held
outside of l2cap_get_sock_by_psm(), now that we hold and release it inside the
same function.
Signed-off-by: Gustavo F. Padovan
-
Fix checkpatch errors like:
"ERROR: do not use assignment in if condition"
Simplify code and fix one long line.
Signed-off-by: Andrei Emeltchenko
Acked-by: Ville Tervo
Signed-off-by: Gustavo F. Padovan
-
In timer context we might delete l2cap channel used by krfcommd.
The check makes sure that sk is not owned. If sk is owned we
restart timer for HZ/5.
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Check that socket sk is not locked in user process before removing
l2cap connection handler.
lock_sock and release_sock do not hold a normal spinlock directly but
instead hold the owner field. This means bh_lock_sock can still execute
even if the socket is "locked". More info can be found here:
http://www.linuxfoundation.org/collaborate/workgroups/networking/socketlock
The krfcommd kernel thread may be preempted by the l2cap tasklet which removes the
l2cap_conn structure. If krfcommd is in the process of sending an RFCOMM reply
(like an "RFCOMM UA" reply to "RFCOMM DISC") then a kernel crash happens.
...
[ 694.175933] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 694.184936] pgd = c0004000
[ 694.187683] [00000000] *pgd=00000000
[ 694.191711] Internal error: Oops: 5 [#1] PREEMPT
[ 694.196350] last sysfs file: /sys/devices/platform/hci_h4p/firmware/hci_h4p/loading
[ 694.260375] CPU: 0 Not tainted (2.6.32.10 #1)
[ 694.265106] PC is at l2cap_sock_sendmsg+0x43c/0x73c [l2cap]
[ 694.270721] LR is at 0xd7017303
...
[ 694.525085] Backtrace:
[ 694.527587] [] (l2cap_sock_sendmsg+0x0/0x73c [l2cap]) from [] (sock_sendmsg+0xb8/0xd8)
[ 694.537292] [] (sock_sendmsg+0x0/0xd8) from [] (kernel_sendmsg+0x48/0x80)
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Structure hidp_conninfo is copied to userland with version, product,
vendor and name fields uninitialized if both session->input and session->hid
are NULL. It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Structure cmtp_conninfo is copied to userland with some padding fields
uninitialized. It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
Structure bnep_conninfo is copied to userland with the field "device"
that has the last elements uninitialized. It leads to leaking of
contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo F. Padovan
-
In Bluetooth there are no automatic updates of remote device names when
they get changed on the remote side. Instead, it is a good idea to do a
manual name request when a new connection gets created (for whatever
reason) since at this point it is very cheap (no costly baseband
connection creation needed just for the sake of the name request).
So far userspace has been responsible for this extra name request but
tighter control is needed in order not to flood Bluetooth controllers
with too many commands during connection creation. It has been shown
that some controllers simply fail to function correctly if they get too
many (almost) simultaneous commands during connection creation. The
simplest way to achieve better control of these commands is to move
their sending completely to the kernel side.
This patch inserts name requests into the sequence of events that the
kernel performs during connection creation. It does this after the
remote features have been successfully requested and before any pending
authentication requests are performed. The code will work sub-optimally
with userspace versions that still do the name requesting themselves (it
shouldn't break anything though) so it is recommended to combine this
with a userspace software version that doesn't have automated name
requests.
Signed-off-by: Johan Hedberg
Signed-off-by: Gustavo F. Padovan
-
This patch adds a single function that's responsible for requesting
authentication for outgoing connections. This is preparation for the
next patch which will add automated name requests and thereby move the
authentication requests to a different location.
Signed-off-by: Johan Hedberg
Signed-off-by: Gustavo F. Padovan
-
The current remote and remote extended features event callbacks logic
can be made simpler by using a label and goto statements instead of the
current multiple levels of nested if statements.
Signed-off-by: Johan Hedberg
Signed-off-by: Gustavo F. Padovan